Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] [ScreenOS] NSRP cluster periodically reports "Peer device in Virtual Security Device group changed state" message

0

0

Article ID: KB7726 KB Last Updated: 26 Mar 2021Version: 9.0
Summary:

NSRP cluster periodically reports the "Peer device in Virtual Security Device group changed state" message.


Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Symptoms:

The NSRP active/passive firewall reported the following errors in the event log about once a day:

2005-10-11 04:58:43 system crit  00015 Peer device 6123232 in the Virtual
                                       Security Device group 0 changed state
                                       from backup to primary backup.
2005-10-11 04:58:42 system crit  00015 Peer device 6123232 in the Virtual
                                       Security Device group 0 changed state
                                       from master to backup.
2005-10-11 04:58:41 system crit  00015 Peer device 6123232 in the Virtual
                                       Security Device group 0 changed state
                                       from undefined to master.

A cross-over cable was used to connect the HA interfaces of the firewall pair.

 

Solution:

If the NSRP HA interfaces between the primary and backup firewall are directly connected (that is, not connected through a Layer-2 switch or another Layer-2 device), then do not configure the set nsrp ha-link probe command.

The use of the NSRP ha-link probe command, when the firewall HA links are directly connected, may cause the NSRP cluster to appear as if the HA connection is flapping.

Use the set nsrp ha-link probe command, only if the HA links for the cluster members are connected to a layer-2 switch or another layer-2 device. Check if the ha-link probe is enabled or not by using the following command:

Firewall(M)-> get nsrp ha-link
total_ha_port = 2
probe on ha-link is enabled, interval 1s, threshold 5
unused channel: ha1 (ifnum: 5) mac: 001bc06ea2c5 state: disconnected(probe)
unused channel: ha2 (ifnum: 6) mac: 001bc06ea2c6 state: disconnected(probe)

If enabled, unset HA Link Probing by using the following command:

unset nsrp ha-link probe threshold 5

Note: When 'set nsrp ha-link probe' is configured, if the probes detect that the other node is missing, NSRP node will stop sending the heartbeat over control link. Only where probes detect another node as up, the heartbeat operation is resumed.

 

Modification History:

2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives
2021-02-11: Minor non-technical edits; article checked for accuracy; accuracy found relevant and valid

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search